Updated: March 2026.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal private‑sector privacy law. While it came into full force in January 2004, the law continues to evolve. In late 2025, the federal government introduced amendments through Bill C‑15, adding a new data mobility right, signaling ongoing modernization of Canadian federal privacy law.
What is PIPEDA?
PIPEDA is federal legislation that governs how private-sector organizations collect, use and disclose personal information during commercial activities.
The law aims to protect personal information from unauthorized access, use, disclosure, alteration, or loss while also giving individuals certain rights over their personal information.
Under PIPEDA, individuals have the right to:
- Know why their personal information is being collected.
- Access personal information.
- Request corrections to inaccurate information.
- Request a transfer of their personal information between organizations participating in an approved framework (data mobility).
When does PIPEDA apply to dietitians?
PIPEDA applies when dietitians are involved in commercial activities.
Examples include:
- Operating a private practice and billing clients directly.
- Selling products or services (such as meal plans, courses, or e-books).
- Collecting personal information for payment processing or marketing purposes.
- Participating in business activities involving personal data across provincial borders (for example, using cloud-based platforms).
PIPEDA defines commercial activity broadly as any transaction or conduct of a commercial character. This includes the selling, exchanging or leasing of membership or other fundraising lists.
When does PIPEDA not apply?
PIPEDA generally does not apply to dietitians working exclusively in public-sector settings, such as public hospitals or government agencies, provided they do not engage in commercial activity.
In these settings, privacy obligations are typically governed by provincial legislation such as the Personal Health Information Protection Act, 2004 (PHIPA) in Ontario, along with organizational policies.
For dietitians working within private organizations engaged in commercial activity, the employer is responsible for PIPEDA compliance, but individual practitioners must follow the organization’s privacy policies.
Dietitians covered by PIPEDA
PIPEDA applies when:
- A dietitian is engaged in commercial activity, including billing clients directly, even if the business is small or part‑time (for example, if you collect a home address and credit card number to process a sale).
What personal information is covered under PIPEDA?
PIPEDA protects personal information, which includes any information about identifiable individuals. Examples relevant to dietetic practice include:
- name and contact information
- demographic details
- payment and billing information
- family or personal circumstances
- health information when collected as part of a commercial activity
What does PIPEDA require of dietitians?
PIPEDA requires dietitians to:
- Obtain consent (express or implied, depending on context) unless another legal authority applies.
- Clearly identify the purpose for collecting, using, or disclosing personal information.
- Provide access and correction rights for individuals.
- Maintain reasonable safeguards that match the sensitivity of the information being protected.
Health professionals also need to comply with Canada’s federal anti-spam legislation, which requires consent to send electronic messages of a commercial nature.
What is the difference between PHIPA and PIPEDA?
The Personal Health Information Protection Act:
- Is Ontario’s provincial health‑specific privacy law.
- Applies to Health Information Custodians (HICs) such as hospitals, physicians, dietitians, clinics, pharmacies, and labs.
- Regulates personal health information (PHI) only.
The Personal Information Protection and Electronic Documents Act:
- Is a federal private‑sector privacy law that applies across Canada.
- Governs organizations engaged in commercial activity, including some health‑related services when provided commercially.
- Covers all personal information, not just health information.
Table 1: Summary of differences between PHIPA and PIPEDA
This table provides a summary of the features of both laws.
| Features | PHIPA | PIPEDA |
| --- | --- | --- |
| Jurisdiction | Ontario (provincial) | Canada-wide (federal) |
| Scope | Health information only | All personal information |
| Applies to | Health Information Custodians | Private-sector organizations in commercial activity |
| Key context | Clinical care & health records | Commercial transactions, business records |
| Consent model | Implied within circle of care; express for others | Meaningful consent required, often express |
| Regulator | Information and Privacy Commissioner of Ontario | Office of the Privacy Commissioner of Canada |
In Ontario, PHIPA has been deemed “substantially similar” to PIPEDA for health information. As a result, PHIPA generally governs clinical care and health records, while PIPEDA usually applies to commercial activities involving personal information.
Privacy Breaches under PIPEDA
Since November 1, 2018, all organizations subject to PIPEDA — including small businesses — must follow specific breach reporting requirements. If a breach creates a real risk of significant harm, organizations must:
- Report the breach to the Office of the Privacy Commissioner of Canada
- Notify affected individuals as soon as possible
Organizations must also keep records of all breaches, even those that do not pose a risk of significant harm, for at least 24 months from the date of the breach.
Recent developments: Data mobility (Bill C‑15, 2025)
Recent amendments to PIPEDA introduce a data mobility right, allowing individuals to request that their personal information be transferred between organizations participating in approved frameworks.
Although implementation is still evolving, this change may affect dietitians who use digital health platforms or practice management software capable of transferring client records between providers or systems.
What are my responsibilities under PIPEDA?
You must comply with PIPEDA if you:
- Bill clients directly.
- Operate a private practice.
- Run a consulting business involving personal health information.
- Participate in commercial activities such as selling products or providing fee‑for‑service programs.
If your employer (clinic, corporation, private practice group) controls the commercial activity, the organization bears primary responsibility for compliance — but you must be aware of and follow their privacy program.
Checklist for dietitians engaged in commercial activities
Dietitians should take steps to ensure their privacy practices align with PIPEDA requirements.
Key actions include:
- Determine whether your business activities are commercial.
- Assess how you collect, use, and disclose personal information.
- Review and document your current privacy practices.
- Develop a written privacy policy available to clients. Refer to the Privacy Toolkit for support.
- Create or update consent processes and consent forms.
- Review and establish privacy agreements with external service providers (for example, virtual care platforms, billing services).
- Designate a Privacy/Information Officer — for solo practitioners, this is you.
- Train any staff or contractors involved in handling personal information.
- Prevent privacy breaches and understand how and when to report them if they occur.
- Keep accurate records of all breaches, even if there is no risk of significant harm.
Where can dietitians get support?
Dietitians seeking additional guidance can consult:
- The Office of the Privacy Commissioner of Canada provides ongoing guidance and publishes updates on PIPEDA reform.
- The College of Dietitians of Ontario Practice Advisory Service offers resources and checklists for private practice privacy requirements (see Privacy Toolkit).
- For legal advice, consult your own privacy lawyer, especially if handling sensitive client data or using digital platforms.
References
College Standards, Guidelines, and other articles
College of Dietitians of Ontario. (2025). Professional Billing Standards & Guidelines.
College of Dietitians of Ontario. (2024). Advertising and Marketing Standards and Guidelines.
College of Dietitians of Ontario. (2020). Privacy of Personal Information Dietetic Practice Tool Kit.
College of Dietitians of Ontario. (2020). Privacy Breaches: Obligations for Dietitians.
Legislation
Federal
Canada’s Anti-Spam Legislation
Personal Information Protection and Electronic Documents Act (PIPEDA)
Provincial
Personal Health Information Protection Act, 2004 (PHIPA)





